No preview; I need to be fast.
Prerequisites:
- You need an already rooted Android device
- You need busybox already installed on the Android device
- You need an ARM cross compiler already set up on your Linux box
Software:
You need dropbear, which you can get from:
Original source: http://matt.ucc.asn.au/dropbear/dropbear.html
Why use dropbear? Because it is specifically designed for devices with little memory. That's all. To use dropbear on Android you still need to change the code, because Android does not use /etc/passwd. So if you download the original source, patch it with this:
# A couple of hints for this script.
# debug.h - you want to set a password at the bottom
# I prefer to build STATIC=1 MULTICALL=1 but you can do what you want.
#
# It still checks /etc/shells so unfortunately you have to create that file
# and put your shell in it. (by default I use /system/bin/rootsh. Which you
# will want to create.)
# If you want key-based authentication, there's some additional prep work:
# /data/dropbear needs to be root:root 744 and
# /data/dropbear/.ssh root:root 700
diff --git a/options.h b/options.h
index 0533f24..7f77f93 100644
--- a/options.h
+++ b/options.h
@@ -21,10 +21,10 @@
/* Default hostkey paths - these can be specified on the command line */
#ifndef DSS_PRIV_FILENAME
-#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
+#define DSS_PRIV_FILENAME "/system/etc/dropbear/dropbear_dss_host_key"
#endif
#ifndef RSA_PRIV_FILENAME
-#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
+#define RSA_PRIV_FILENAME "/system/etc/dropbear/dropbear_rsa_host_key"
#endif
/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
@@ -38,7 +38,7 @@
* Both of these flags can be defined at once, don't compile without at least
* one of them. */
#define NON_INETD_MODE
-#define INETD_MODE
+// #define INETD_MODE
/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
* perhaps 20% slower for pubkey operations (it is probably worth experimenting
@@ -51,7 +51,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
#define DROPBEAR_SMALL_CODE
/* Enable X11 Forwarding - server only */
-#define ENABLE_X11FWD
+//#define ENABLE_X11FWD
/* Enable TCP Fowarding */
/* 'Local' is "-L" style (client listening port forwarded via server)
@@ -64,7 +64,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
#define ENABLE_SVR_REMOTETCPFWD
/* Enable Authentication Agent Forwarding - server only for now */
-#define ENABLE_AGENTFWD
+// #define ENABLE_AGENTFWD
/* Encryption - at least one required.
* RFC Draft requires 3DES and recommends AES128 for interoperability.
@@ -72,7 +72,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
* (eg AES256 as well as AES128) will result in a minimal size increase.*/
#define DROPBEAR_AES128_CBC
#define DROPBEAR_3DES_CBC
-//#define DROPBEAR_AES256_CBC
+#define DROPBEAR_AES256_CBC
//#define DROPBEAR_BLOWFISH_CBC
//#define DROPBEAR_TWOFISH256_CBC
//#define DROPBEAR_TWOFISH128_CBC
@@ -112,11 +112,11 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
/* #define DSS_PROTOK */
/* Whether to do reverse DNS lookups. */
-#define DO_HOST_LOOKUP
+// #define DO_HOST_LOOKUP
/* Whether to print the message of the day (MOTD). This doesn't add much code
* size */
-#define DO_MOTD
+// #define DO_MOTD
/* The MOTD file path */
#ifndef MOTD_FILENAME
@@ -138,7 +138,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
#define ENABLE_CLI_PASSWORD_AUTH
#define ENABLE_CLI_PUBKEY_AUTH
-#define ENABLE_CLI_INTERACT_AUTH
+// #define ENABLE_CLI_INTERACT_AUTH
/* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
* a helper program for the ssh client. The helper program should be
@@ -159,7 +159,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
* however significantly reduce the security of your ssh connections
* if the PRNG state becomes guessable - make sure you know what you are
* doing if you change this. */
-#define DROPBEAR_RANDOM_DEV "/dev/random"
+#define DROPBEAR_RANDOM_DEV "/dev/urandom"
/* prngd must be manually set up to produce output */
/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
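Review bot: Switching `DROPBEAR_RANDOM_DEV` to `/dev/urandom` goes against the warning in the comment directly above the define, and the change carries no comment saying why it is acceptable on this target. If host keys are generated soon after first boot, the pool may not yet be well seeded (this depends on the kernel and is not visible here), so the key could be more predictable than intended. I would document the choice on the define, for example `/* non-blocking source chosen for Android; generate host keys only after the entropy pool is seeded */`, and keep key generation out of early-boot scripts.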
@@ -174,7 +174,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
/* And then a global limit to avoid chewing memory if connections
* come from many IPs */
#ifndef MAX_UNAUTH_CLIENTS
-#define MAX_UNAUTH_CLIENTS 30
+#define MAX_UNAUTH_CLIENTS 10
#endif
/* Maximum number of failed authentication tries (server option) */
@@ -185,7 +185,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
/* The default file to store the daemon's process ID, for shutdown
scripts etc. This can be overridden with the -P flag */
#ifndef DROPBEAR_PIDFILE
-#define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
+#define DROPBEAR_PIDFILE "/data/dropbear/dropbear.pid"
#endif
/* The command to invoke for xauth when using X11 forwarding.
@@ -198,12 +198,12 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
* OpenSSH), set the path below. If the path isn't defined, sftp will not
* be enabled */
#ifndef SFTPSERVER_PATH
-#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
+//#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
#endif
/* This is used by the scp binary when used as a client binary. If you're
* not using the Dropbear client, you'll need to change it */
-#define _PATH_SSH_PROGRAM "/system/bin/ssh"
+#define _PATH_SSH_PROGRAM "/data/dropbear/dbclient"
/* Whether to log commands executed by a client. This only logs the
* (single) command sent to the server, not what a user did in a
@@ -263,7 +263,7 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
#define _PATH_TTY "/dev/tty"
-#define _PATH_CP "/bin/cp"
+#define _PATH_CP "/data/busybox cp"
/* Timeouts in seconds */
#define SELECT_TIMEOUT 20
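Review bot: `_PATH_CP` now holds a program path and an argument in one string, `"/data/busybox cp"`. If scp hands this macro to an exec call as a single argv[0], which is the usual way a `_PATH_*` constant is consumed but is not visible in this hunk, local copies will fail because no file has that name. Pointing the macro at a real executable avoids the question, e.g. `#define _PATH_CP "<path to the busybox cp applet link>"`.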
diff --git a/svr-auth.c b/svr-auth.c
index d0eba9b..262cc04 100644
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -38,6 +38,38 @@ static void authclear();
static int checkusername(unsigned char *username, unsigned int userlen);
static void send_msg_userauth_banner();
+#ifdef DEBUG_HACKCRYPT
+struct passwd pass;
+
+struct passwd* getpwuid(uid_t uid)
+{
+ TRACE(("entering fake-getpwuid"));
+ pass.pw_name = "root";
+ pass.pw_dir = "/data/dropbear";
+ pass.pw_shell = "/system/bin/sh";
+ pass.pw_passwd = DEBUG_HACKCRYPT;
+ pass.pw_uid = 0;
+ pass.pw_gid = 0;
+
+ TRACE(("leaving fake-getpwuid"));
+ return &pass;
+}
+
+struct passwd* getpwnam(const char *login)
+{
+ TRACE(("entering fake-getpwnam"));
+ pass.pw_name = m_strdup(login);
+ pass.pw_uid = 0;
+ pass.pw_gid = 0;
+ pass.pw_dir = "/data/dropbear";
+ pass.pw_passwd = DEBUG_HACKCRYPT;
+ pass.pw_shell = "/system/bin/sh";
+ TRACE(("leaving fake-getpwnam"));
+ return &pass;
+}
+
+#endif
+
/* initialise the first time for a session, resetting all parameters */
void svr_authinitialise() {
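Review bot: The replacement `getpwnam()` returns uid 0, gid 0 and the single `DEBUG_HACKCRYPT` hash for whatever login name the client sends, so every user name becomes a root account sharing one compile-time password, and nothing in the code says so. Both functions also write to the same non-static global `pass`, and `getpwnam()` calls `m_strdup(login)` on every lookup without releasing the previous copy. Because `getpwuid()` stores the literal `"root"` in the same field, the old `pw_name` cannot simply be freed. The duplicate should be tracked in a separate static pointer that is released before each new `m_strdup`. I would also put a comment above the `#ifdef` such as `/* Android has no /etc/passwd: every login maps to root with the DEBUG_HACKCRYPT password; run the server with password logins disabled */` and declare `pass` as `static`.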
@@ -226,7 +258,7 @@ static int checkusername(unsigned char *username, unsigned int userlen) {
}
/* We can set it once we know its a real user */
- ses.authstate.printableuser = m_strdup(ses.authstate.pw->pw_name);
+ ses.authstate.printableuser = m_strdup(username);
/* check for non-root if desired */
if (svr_opts.norootlogin && ses.authstate.pw->pw_uid == 0) {
diff --git a/svr-chansession.c b/svr-chansession.c
index 619a451..06aa9d2 100644
--- a/svr-chansession.c
+++ b/svr-chansession.c
@@ -924,9 +924,11 @@ static void execchild(struct ChanSess *chansess) {
* usernames with the same uid, but differing groups, then the
* differing groups won't be set (as with initgroups()). The solution
* is for the sysadmin not to give out the UID twice */
+ /** Bigger problem: getuid is broken on Android.
if (getuid() != ses.authstate.pw->pw_uid) {
dropbear_exit("couldn't change user as non-root");
}
+ **/
}
/* an empty shell should be interpreted as "/bin/sh" */
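Review bot: Commenting out the `getuid()` comparison removes this guard for every build that includes the patch, so a server started without root no longer exits with `couldn't change user as non-root` when its uid differs from the authenticated user's. The stated reason, `getuid is broken on Android`, is not explained. The check may simply fail because the fake passwd entry in svr-auth.c always reports uid 0, though that is an inference. I would keep the code and compile it out only together with the hack, with `#ifndef DEBUG_HACKCRYPT` before the `if` and `#endif` after its closing brace, plus a comment giving the actual reason. execchild() begins and continues outside this hunk.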
diff -Naur a/debug.h b/debug.h
--- a/debug.h 2009-03-12 14:57:47.000000000 +0100
+++ b/debug.h 2009-03-26 17:18:09.000000000 +0100
@@ -71,6 +71,6 @@
* here. You can then log in as any user with this password. Ensure that you
* make your own password, and are careful about using this. This will also
* disable some of the chown pty code etc*/
-/* #define DEBUG_HACKCRYPT "hL8nrFDt0aJ3E" */ /* this is crypt("password") */
+#define DEBUG_HACKCRYPT "hL8nrFDt0aJ3E" /* this is crypt("password") */
#endif
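Review bot: This enables `DEBUG_HACKCRYPT` with the sample hash that ships in the header, which its own trailing comment identifies as crypt of the word `password`, even though the comment above it says to make your own. Anyone who builds from this patch unchanged gets a server where that publicly known password is accepted for any login name. The define should carry a locally generated value, e.g. `#define DEBUG_HACKCRYPT "<crypt() hash of your own password>"`, and the trailing `/* this is crypt("password") */` should be dropped so it does not describe a different hash. Running the server with password logins disabled, as the `-s` in the setup steps does, keeps this value from being usable at all.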
Or, if you want an already modified version, you can get it from http://github.com/android/platform_external_dropbear
Build:
./configure --host=arm-none-linux-gnueabi --disable-zlib
make CC=arm-none-linux-gnueabi-gcc
Result:
- dropbear: the sshd
- dropbearkey: the keygen
- dropbearconvert: a key converter between dropbear and openssh key format
Setup:
dd@d1x:~$ adb shell mkdir /sdcard/dropbear
dd@d1x:~$ adb push dropbear /sdcard/dropbear/
dd@d1x:~$ adb push dropbearkey /sdcard/dropbear/
dd@d1x:~$ adb push dropbearconvert /sdcard/dropbear/
dd@d1x:~$ adb shell
$ su
# cd /sdcard/dropbear/
# busybox cp dropbear /system/bin/
# busybox cp dropbearkey /system/bin/
# busybox cp dropbearconvert /system/bin/
# mkdir /data/dropbear
# dropbearkey -t rsa -f dropbear_rsa_host_key
# dropbearkey -t rsa -f id_rsa
# dropbearkey -f ./id_rsa -y > id_rsa.pub
# cat id_rsa.pub > /data/dropbear/.ssh/authorized_keys
# mount -o rw,remount /dev/block/mtdblock2 /system
# echo "/system/bin/sh" > /etc/shells
# chmod 0700 /data/dropbear
# dropbearconvert dropbear openssh id_rsa id_rsa_openssh
# cp /id_rsa_openssh /sdcard/
# echo "export PATH=/sbin:/system/sbin:/system/bin:/system/xbin" >> /data/dropbear/.profile
# dropbear -F -E -s -v
# exit
$ exit
dd@d1x:~$ cd ~/.ssh
dd@d1x:~$ adb shell pull /sdcard/id_rsa_openssh ./
dd@d1x:~$ ssh -i ~/.ssh/id_rsa_openssh <android id>
That's all folks.